Cross-Site Scripting in Grist Spreadsheet Software by Grist Labs
CVE-2026-55659

7.7HIGH

Key Information:

Vendor

Gristlabs

Vendor
CVE Published:
10 July 2026

What is CVE-2026-55659?

Several server-rendered pages in Grist, a Python-based spreadsheet application, improperly handled user-controlled values, leading to potential cross-site scripting vulnerabilities. This issue allowed malicious users to exploit the application by injecting scripts into the pages rendered for other users. Specifically, document names and descriptions could be manipulated, while the OAuth2 end-of-flow page reflected harmful input back into the webpage. If successful, this exploitation enabled attackers to execute scripts within the context of an authenticated session, potentially allowing them to escalate privileges to owner level and compromise document sharing and access settings. This vulnerability was addressed in version 1.7.15.

Affected Version(s)

grist-core < 1.7.15

References

CVSS V3.1

Score:
7.7
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
Low
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.